Patch Analysis for October 2005

Well, last month Microsoft released no patches, but they made up for it on yesterday's Patch Tuesday: nine bulletins in all. Most of this month's patches address primarily workstation-related risks, so you can wait to deploy them until you finish a full round of testing in your environment. However, I recommend loading the Internet Explorer patch (MS05-052) on workstations as soon as possible, with little or no testing depending on where your organization falls on the vulnerability vs. stability range. The most important patch that affects servers is the one dealing with the Collaboration Data Objects (CDO) vulnerability, MS05-048. Be sure to assess your exposure to that risk. Two trends continue this month. First, XP SP2 and Windows Server 2003 SP1 continue to come out less scathed than earlier versions of Windows for many vulnerabilities. I have to give Microsoft credit for making progress on these two post-Trustworthy Computing initiative releases. Second, following best practices such as refraining from dangerous activities (e.g. web browsing) while logged on at a server and disabling unneeded features continues to reduce your exposure to future vulnerabilities.

MS05-050 - Vulnerability in DirectShow Could Allow Remote Code Execution (904706)

This critical vulnerability allows an attacker to execute arbitrary code under the current user's authority on all versions of Windows. This is primarily a workstation risk since the attacker must succeed in getting the user to view a malicious web page or open a specially crafted AVI file. Best practice prohibits viewing web content and other activities such as opening untrusted files, reading email, etc. while logged on at a server. At this time no proof-of-concept code or actual attacks have been reported, so most organizations will choose to perform normal testing before deploying this patch. (DirectShow is the Windows component that handles streaming media from web sites, DVDs, AVI files, etc.)

Assuming you follow best practice and limit activities while logged on to servers interactively or via remote desktop to the built-in MMCs, you should be able to avoid loading this patch on servers. Workstations, however, should be patched after light testing.

MS05-051 - Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)

This critical bulletin covers several vulnerabilities with different types of impact. The worst impact associated with this bulletin is root access, in which a remote attacker sends a specially crafted network message to the targeted system that results in execution of arbitrary code under the authority of the operating system itself, thereby gaining complete control. Root access impact is limited to Windows systems prior to Windows XP SP2 and Windows Server 2003 SP1. Many back-level systems on your network will have limited or no vulnerability depending on the status of Microsoft Distributed Transaction Coordinator (MSDTC), the Transaction Internet Protocol (TIP) and COM+. To assess your exposure to the root access impact of this bulletin, analyze the Mitigating Factors for the MSDTC and COM+ vulnerabilities in MS05-051. MSDTC is the distributed transaction technology in Windows and is used by SQL Server, BizTalk Server, Exchange Server, Message Queuing and cluster environments.

Another impact of this bulletin is local privilege escalation, in which a user can elevate his privileges and gain administrator authority on the system where he is currently logged on. This impact is only relevant if you have a locked-down workstation environment where users are not already members of the local Administrators group on their workstations, or in Terminal Services user-mode environments.

The final impact of this bulletin is denial of service. All versions of Windows are potentially exposed to this vulnerability; however, actual exposure depends on the status of MSDTC and its TIP component. Windows 2000 has the highest exposure.

Bottom line: you can probably avoid loading this patch if your network consists only of Windows XP SP2 and Windows Server 2003 SP1 systems and you don't use a locked-down desktop environment. For other vulnerable systems, carefully read the mitigating factors and workarounds before determining which systems must receive the patch.

MS05-052 - Cumulative Security Update for Internet Explorer (896688)

This critical vulnerability allows an attacker to execute arbitrary code under the authority of the current user. To exploit the vulnerability the attacker must trick the user into opening a specially crafted web page in Internet Explorer. Provided best practice is followed when administrators log on to a server interactively or via remote desktop, risk is limited to workstations and Terminal Services user-mode environments.

Bottom line: you should load this fix on Windows workstations as soon as possible. Since this vulnerability is already being exploited on the Internet and proof-of-concept code already exists publicly, this patch should be deployed before testing is complete, especially for workstations of users with access to important applications and information.

MS05-046 - Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)

This vulnerability only affects Windows systems with CSNW (Client Service for NetWare) or GSNW (Gateway Service for NetWare) installed, which is not the default on any version of Windows. Given that there are no reports of this vulnerability being exploited in actual attacks, that there is no public proof-of-concept code at this time and that CSNW/GSNW is not a core component of Windows, it is likely it won't be immediately targeted.

Bottom line: if you have NetWare servers and use CSNW or GSNW, consider loading this patch after complete testing in your environment.

MS05-047 - Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)

This vulnerability could allow a remote but authenticated user to gain root access to Windows 2000 and XP SP1 systems, but not Windows Server 2003. Risk on XP SP2 systems is limited to local privilege escalation by a user logged on interactively or via remote desktop. Your Windows 2000 servers are at risk from malicious users with a valid user account. Pre-XP SP2 systems are also at risk of remote attack if ports 139 or 445 are reachable by the attacker. On XP SP2 this is only a risk in locked-down desktop environments in which end users are not members of the local Administrators group.

Bottom line: in locked-down desktop environments, load this patch after full testing. For Windows 2000 and pre-XP SP2 systems you may decide to load this patch after full testing. Other organizations will choose not to load the patch since risk is limited to "trusted" (authenticated) users and there is currently no public proof-of-concept code.

MS05-048 - Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)

This important vulnerability allows a remote attacker to gain complete control of a system using a specially crafted SMTP email message. The vulnerability affects all versions of Windows and Exchange Server 2000; however, there are significant prerequisites for a successful attack. First, the computer must be running Exchange Server 2000 or have IIS 5 or 6 installed with the SMTP service active. Furthermore, an application must be actively using a certain feature of the SMTP service, Collaboration Data Objects (CDO). CDO is a COM component widely used by applications that create email messages or that add functionality to SMTP or Exchange servers. An application that uses CDO only opens this vulnerability if the application uses CDO's event sinks in an unpublished "vulnerable manner" (see http://www.sec-1.com/applied_hacking_course.html). Event sinks are "user exits" that allow an application to step into the middle of SMTP's handling of a message and perform additional processing (e.g. an anti-spam product or an email archiving solution).

To determine whether a system running SMTP is vulnerable to this exploit, run "cscript.exe smtpreg.vbs /enum", which produces a list of applications that have registered event sink entries with CDO. You can obtain smtpreg.vbs at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smtpevt/html/6b7a017e-981e-45a1-8690-17ff26682bc7.asp. This is primarily a server issue since it should be unusual to have SMTP running on workstations. For servers you identify as vulnerable, consider the likelihood of the server receiving a malicious message crafted to exploit this vulnerability; email gateways facing the Internet are the most likely target. It is not clear whether downstream servers are vulnerable to malicious messages forwarded from a patched server.

Bottom line: email servers and gateways exposed to the Internet should be patched as soon as possible; some organizations will deploy the update before testing is complete, with all other vulnerable servers to follow as soon as testing is complete.
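Several of the bulletins above (MS05-046, MS05-047, MS05-048 and MS05-051) come down to the same question: is the vulnerable component even present and reachable on this box, and are users already local administrators? The script below is an added exposure check written for this newsletter page, not something from the original analysis or from Microsoft. Run it as the ordinary interactive user (not elevated) so the locked-down-desktop test means something. It assumes service names SMTPSVC (SMTP), NWCWorkstation (Client/Gateway Service for NetWare) and MSDTC, the registry values named in the MS05-051 workarounds (NetworkDtcAccess and NetworkDtcAccessTip under HKLM\SOFTWARE\Microsoft\MSDTC\Security, RemoteAccessEnabled under HKLM\SOFTWARE\Microsoft\COM3), and a path where you have saved smtpreg.vbs; none of those names appear in the newsletter itself.

```powershell
# Added exposure check for the October 2005 bulletins (example code, not from the newsletter).
# Assumptions not stated on the page: service names, registry value names and the
# smtpreg.vbs location below. Written to run on PowerShell 2.0-era hosts.
$SmtpRegScript = 'C:\Tools\smtpreg.vbs'   # assumed location of the downloaded script

function Get-ServiceState([string]$Name) {
    # 'not installed' when the service does not exist, otherwise running/stopped/...
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'not installed' }
    return $svc.Status.ToString().ToLower()
}

function Get-RegDword([string]$Path, [string]$Value) {
    # DWORD value, or 'absent' when the key or value is missing (treated as not enabled here)
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'absent' }
    return [int]$item.$Value
}

function New-Finding([string]$Bulletin, [string]$Check, $Finding) {
    New-Object PSObject -Property @{ Bulletin = $Bulletin; Check = $Check; Finding = $Finding }
}

$report = @()

# Baseline: XP SP2 and Server 2003 SP1 carry fewer "root access" exposures this month.
$os = Get-WmiObject Win32_OperatingSystem
$report += New-Finding 'all' 'OS / service pack' ("{0} SP{1}" -f $os.Caption.Trim(), $os.ServicePackMajorVersion)

# Locked-down desktop? The EoP impacts in MS05-047 and MS05-051 only matter if the
# everyday user is NOT already a local administrator (so run this as that user).
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$report += New-Finding 'MS05-047/051' "User $($me.Name) is local admin" $isAdmin

# MS05-047: the remote (authenticated) path needs TCP 139/445 listening and reachable.
$smbListeners = netstat -an | Select-String -Pattern ':(139|445)\s+\S+\s+LISTENING'
$report += New-Finding 'MS05-047' 'TCP 139/445 listening' (@($smbListeners).Count -gt 0)

# MS05-051: MSDTC present, network DTC access, TIP, and COM+ network access.
$dtcKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$report += New-Finding 'MS05-051' 'MSDTC service'            (Get-ServiceState 'MSDTC')
$report += New-Finding 'MS05-051' 'NetworkDtcAccess'         (Get-RegDword $dtcKey 'NetworkDtcAccess')
$report += New-Finding 'MS05-051' 'NetworkDtcAccessTip'      (Get-RegDword $dtcKey 'NetworkDtcAccessTip')
$report += New-Finding 'MS05-051' 'COM+ RemoteAccessEnabled' (Get-RegDword 'HKLM:\SOFTWARE\Microsoft\COM3' 'RemoteAccessEnabled')

# MS05-046: only hosts with CSNW/GSNW installed are in scope.
$report += New-Finding 'MS05-046' 'Client/Gateway Service for NetWare' (Get-ServiceState 'NWCWorkstation')

# MS05-048: is the SMTP service here at all, and if so which event sinks are registered?
$smtp = Get-ServiceState 'SMTPSVC'
$report += New-Finding 'MS05-048' 'SMTP service' $smtp
if ($smtp -ne 'not installed' -and (Test-Path $SmtpRegScript)) {
    $sinks = & cscript.exe //nologo $SmtpRegScript /enum
    $report += New-Finding 'MS05-048' 'smtpreg.vbs /enum output lines' (($sinks | Measure-Object).Count)
    # Review this file: third-party bindings mean an application is using CDO event sinks.
    $sinks | Out-File "$env:TEMP\smtp-sinks.txt"
}

$report | Select-Object Bulletin, Check, Finding | Format-Table -AutoSize
```

Read the table top to bottom the way the bulletin text does: an XP SP2 or Server 2003 SP1 host where the user is not an administrator, MSDTC network and TIP access are off or absent, no NetWare client and no SMTP service is one you can schedule for routine testing; any row that comes back "running", "1" or "True" is the exposure the corresponding section above tells you to weigh. PowerShell did not ship until after 2005, so on Windows 2000 hosts you would collect the same facts with sc query, reg query and netstat instead.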

MS05-049 - Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)

This important vulnerability allows an attacker to run arbitrary code under the authority of the victim user and applies to all versions of Windows. The attacker must trick the user into opening a specially crafted LNK file (a.k.a. shortcut), for example by sending an email with a link to a page hosting the malicious LNK file or luring the user to the page through some other means. Depending on your email server and client policies, the attacker may be able to send the LNK file directly as an attachment. You should be able to avoid loading this patch on servers provided best practice is followed by administrators who log on interactively or via remote desktop (i.e. no web browsing, email usage, etc.). There are no reports of this vulnerability being used in actual attacks and there is no public proof-of-concept code.

MS05-044 - Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering (905495)

This vulnerability allows an attacker who can post a file with a specially formatted file name to an FTP site to override the destination of the file when it is downloaded by the client. For example: AttackJack creates a file with a special file name and posts it to ftp.public.com. UserB downloads the file using the Windows FTP client. UserB specifies that the file should be downloaded to My Documents, but the file ends up in c:\windows\system32 because of how AttackJack formatted the file name. This introduces the risk of trojan horses and other back doors if the attack succeeds in replacing an important system file. Replacement requires the user to allow the transfer after an "Overwrite File?" warning. Spam filters and firewall policies restricting FTP downloads also help to mitigate this threat.

Bottom line: this vulnerability is relevant to computers downloading files from FTP sites where malicious content could be posted, but due to the prerequisites for the attack many organizations will choose to install this patch on workstations only after full testing.

MS05-045 - Vulnerability in Network Connection Manager Could Allow Denial of Service (905414)

This denial-of-service vulnerability allows an authenticated but malicious user to send a specially crafted network message to the vulnerable system and temporarily knock out the system's ability to respond to incoming and outgoing dial-up and VPN connection attempts; however, the system will evidently recover within a few seconds.

Bottom line: don't install this patch unless you start experiencing the problem. If you do experience the problem, you have a rogue user on your hands.


[Fast Facts table: columns Win2000 | XP | Server 2003 | Small Business Server 2003 | Small Business Server 2000; per-bulletin cell contents not recoverable]
